Hi Luke,

On 31/03/2011, at 16:16, Luke Howard wrote:

>> I know abfab is the lower-layer, but I thought the discussion was related
>> with the possible need to protect the abfab lower-layer BEFORE the EAP
>> authentication.
>
>
> You can protect parts of the conversation that happen before the EAP
> authentication, you just can't verify them until afterwards.

That is clear.

>
> There was a separate question in the meeting about protecting application
> data that happens before EAP authentication (such as SASL mechanism
> negotiation), I suggested that you could use GSS channel bindings to protect
> this.

I see.

> Or you could restart the negotiation within an integrity protected channel.

Exactly. That integrity protected channel can be derived from the EAP key material and can be used to securely confirm the parameters exchanged during the unsecured negotiation phase.

>
> -- Luke

-------------------------------------------------------
Rafael Marin Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501
Fax: +34868884151
e-mail: [email protected]
-------------------------------------------------------

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
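
The confirmation step described in the reply above, as an added example that is not part of the original message or of any ABFAB specification: once EAP has completed, a key derived from the EAP key material authenticates the parameters that were exchanged in the clear, so a mismatch between what one side sent and the other side saw is detected. The HMAC-SHA256 derivation, the label, the function names and the mechanism names are assumptions made for illustration.

```python
import hashlib
import hmac

LABEL = b"example negotiation confirmation"  # assumed label, not from any spec


def derive_confirm_key(eap_key_material):
    """Derive a key used only for confirmation (assumed KDF: HMAC-SHA256)."""
    return hmac.new(eap_key_material, LABEL, hashlib.sha256).digest()


def encode_transcript(offered, selected):
    """Count- and length-prefix fields so ['A','BC'] and ['AB','C'] differ."""
    out = bytearray(len(offered).to_bytes(2, "big"))
    for field in [*offered, selected]:
        raw = field.encode("ascii")
        out += len(raw).to_bytes(2, "big") + raw
    return bytes(out)


def confirmation_tag(key, offered, selected):
    """Tag over the negotiation as this party sent or received it."""
    data = encode_transcript(offered, selected)
    return hmac.new(key, data, hashlib.sha256).digest()


def peer_verifies(key, seen_offer, selected, received_tag):
    """Recompute the tag over what was seen in the unprotected phase."""
    expected = confirmation_tag(key, seen_offer, selected)
    return hmac.compare_digest(expected, received_tag)


def demo():
    key_material = bytes(range(64))  # constructed stand-in for EAP key material
    key = derive_confirm_key(key_material)
    sent_offer = ["MECH-STRONG", "MECH-WEAK"]  # constructed mechanism names

    # Case 1: the offer arrived unchanged and MECH-STRONG was selected.
    tag = confirmation_tag(key, sent_offer, "MECH-STRONG")
    honest = peer_verifies(key, sent_offer, "MECH-STRONG", tag)

    # Case 2: the offer was altered in transit, so the peer saw a shorter
    # list. The sender still tags the list it actually sent.
    tag = confirmation_tag(key, sent_offer, "MECH-WEAK")
    tampered = peer_verifies(key, ["MECH-WEAK"], "MECH-WEAK", tag)
    return {"honest": honest, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

As Luke notes in the quoted text, the check can only run after authentication, so anything acted on before the tag is verified remains unprotected.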
